Project

General

Profile

Actions
Copy link

Feature #7012

open

Add dns.response sticky buffer

Added by Nathan Scrivens 4 months ago. Updated 18 days ago.

Status:
In Review
Priority:
Normal
Assignee:
Nathan Scrivens
Target version:
TBD
Effort:
medium
Difficulty:
Label:

Description

Add DNS sticky buffer dns.response that will allow a signature to trigger on any name and rdata field over all sections in a DNS response message.
This allows simplified policy configuration and matching on all relevant fields in a dns response (instead of multiple signatures, each looking at a specific field).
This also addresses a gap where all sections / records are not currently exposed for matching.

I have a solution that iterates through all records per section in a response, checking:
  1. the "name" field in each record
  2. the "rdata" field in each record. For rdata, there is some logic limiting the "type" that will be checked to those that could contain domain names such as MX, NS, SOA, CNAME, PTR, ...

I plan to open a PR soon if there is interest in this feature.

Related issues 1 (1 open0 closed)

Related to Suricata - Feature #2448: Add additional buffers for DNS ResponsesNewOISF DevActions
Actions
Copy link
 #1

Updated by Jason Ish 4 months ago

Last time I asked a similar question, the answer was that specificity was preferred, and this lead to dns.answer.name and dns.query.name and I expect this to get more complete in time.

So I'd be keen to hear interest in this field.

Just a note: dns.response is a little open in the naming department.

Actions
Copy link
 #2

Updated by Nathan Scrivens 4 months ago ยท Edited

  • Assignee changed from OISF Dev to Nathan Scrivens

Thanks for the feedback Jason.

Here is a little extra context. For our organization we are running in IPS mode, and are interested in triggering on any potential record in a DNS response message that could match our signatures / datasets.
Needing to reference every individual field for each section will add complexity and replication to our signature set.
For example, we want to match on:
  • question section: name field
  • answer, authority, additional sections: name and rdata fields
    This would be seven unique fields, which would translate to seven signatures just for DNS response traffic (even more if we want to have different signature / action combinations). It would be much simpler to have a generic way to fully match a DNS response.

I can see value in both implementations. Exposing unique fields for those who want to write a specific signature, but also having the option to match against all fields easily for those who want to match on everything possible in a response with a single signature.

The name isn't important, we could change that if you feel dns.response is too open. It seemed to me like a nice description, as the result is matching on the entire DNS response.

Actions
Copy link
 #3

Updated by Nathan Scrivens 3 months ago

I have made progress on this, but it also has dependencies on: https://redmine.openinfosecfoundation.org/issues/7011
Once that feature is merged I'll be able to open a PR.

Do you have any other suggestions for a name if "dns.response" is too open?

Actions
Copy link
 #4

Updated by Jason Ish 3 months ago

  • Related to Feature #2448: Add additional buffers for DNS Responses added
Actions
Copy link
 #5

Updated by Nathan Scrivens 18 days ago

  • Status changed from New to In Review
Actions
Copy link

Also available in: Atom PDF